DUQU 2.0: Frequently Asked Questions
Kaspersky Lab.
Introduction
In early spring this year, Kaspersky Lab detected a cyber-intrusion affecting several of its
internal systems. We immediately launched an intensive investigation, which led to the
discovery of a carefully planned cyber-espionage attack carried out by the same group that
was behind the infamous 2011 Duqu APT. We believe this is a nation-state sponsored
campaign.
Duqu is a sophisticated malware platform discovered by CrySyS Lab, and investigated by
Kaspersky Lab in 2011. Its main purpose was to act as a backdoor into the system and
facilitate the theft of private information. In 2011 Duqu was detected in Hungary, Austria,
Indonesia, the UK, Sudan and Iran. There are clues that Duqu was used to spy on the Iranian
nuclear program and also to compromise Certificate Authorities in order to hijack digital certificates.
These certificates were then used to sign malicious files so they would evade security solutions.
Kaspersky Lab believes the attackers were certain it was impossible to discover the
cyberattack. They did everything possible to avoid exposure: the attack included some
unique and previously unseen features and left almost no traces. The attack exploited
zero-day vulnerabilities and, after elevating privileges to domain administrator, the malware
spread through the network via MSI files, which are commonly used by system administrators
to deploy software on remote Windows computers. The cyberattack didn't create or modify
any disk files or system settings, making detection almost impossible. The philosophy and
way of thinking of the Duqu 2.0 group is a generation ahead of anything seen in the APT
world. But thanks to our technologies and top class researchers, we caught them.
To mitigate this threat, Kaspersky Lab is releasing Indicators of Compromise and would like
to offer its assistance to all interested or affected organizations. Also, procedures for
protection from Duqu 2.0 have been added to the company's products.
More details on the Duqu 2.0 malware can be found in the technical report.
no additional indicators of malicious activity were detected. Also, no interference with processes
or systems was detected.
The attackers were likely aware of the company's reputation as one of the most advanced in
detecting and fighting complex APT attacks, and were attempting to find ways to make their
future attacks go undetected.
The information accessed by the attackers is in no way critical to the operation of the company's
products. Armed with information about this attack, Kaspersky Lab will continue to improve the
performance of its IT security solutions portfolio.
What are the reasons to think that a nation-state is behind this attack?
Developing and operating such a professional malware campaign is extremely expensive and
requires resources beyond those of everyday cybercriminals. The cost of developing and
maintaining such a malicious framework is colossal: we estimate it to be around $50 million.
What is really remarkable here is that the entire malware platform relies heavily on zero-days. If
there is no zero-day to jump into kernel mode, the malware won't work. That could mean that the
attackers were confident that, should one vulnerability be patched, they'd implement
another. Otherwise they wouldn't have built a platform dependent entirely on zero-days.
The Duqu 2.0 operation shows no sign of any objective of making a financial profit from the use of the
malware.
The use of multiple zero-day exploits and sophisticated hacking techniques during the attack is
another indicator that it is a nation-state sponsored campaign.
Why do you think Kaspersky Lab was targeted alongside high-level government representatives?
The targeting of Kaspersky Lab represents a huge step for the attackers and is an indicator of
how quickly the cyber-arms race is escalating. Back in 2011 and 2013, respectively, RSA [1] and
Bit9 [2] were hacked by Chinese-speaking APT groups, but these incidents were considered rare. In
general, an attacker risks a lot by targeting a security company, because they may get caught and
exposed. The exact reason why Kaspersky Lab was targeted is still not clear, although we
believe the primary goal of the attack was to acquire information on Kaspersky Lab's newest
defensive technologies.
Does this attack mean that there is no protection from government-grade malware?
No, it doesn't. A conventional approach to protecting endpoints may not help against professional
government-grade malware. We realized this some time ago, and started developing new
technologies. Our Anti-APT solution is one such technology. We discovered Duqu 2.0 while testing
a prototype of our new anti-APT product.
APT attacks differ very much from the point of view of the skills of the threat actor and the
resources available to launch sophisticated attacks. Unfortunately, some of these campaigns
like Stuxnet, Flame and Equation can go undetected for several years. However, IT security
companies will eventually discover these campaigns as there is no such thing as perfect code
(including malicious).
[1] https://blogs.rsa.com/anatomy-of-an-attack/
[2] https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/
services can have multi-billion-dollar budgets and hundreds of thousands of employees. We can
fight back by being open, transparent and by making such malicious activities public.
Kaspersky Lab has consistently advocated responsible behavior regarding disclosure of
cyberattacks. We're confident that concealing security incidents leads to a situation in which less
information leads to less awareness, and ultimately to weaker protection. We believe that every
attacked company should disclose security incidents, which would also allow other companies to
make their defenses stronger.
Is this the first time that a nation-state group has targeted an IT security company?
Unfortunately, this is not the first nation-state linked attack against a security vendor. Previous
attacks against RSA Security and Bit9 were linked to nation-state attackers. Threat actors appear
to compromise IT Security companies as utilitarian targets, which allow them to improve their
cyber capabilities.
Perform regular updates and rebooting of all machines in the network, including domain
controllers. Rebooting removes the active malware from memory.
Make sure all your servers run x64 (64-bit) Windows. This forces the attackers to use
signed drivers for persistence mechanisms.
Change passwords regularly (every 1-2 months) and use strong passphrases that are
longer than 20 characters. Disable old-style LM hashes.
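As an added example (this is not code from Kaspersky Lab's FAQ, nor its Yara rules or memory-dump tool), the following PowerShell function checks a Windows host against the recommendations above: time since the last reboot (a memory-only implant does not survive one), 64-bit Windows, the NoLMHash setting, patch recency, and, where the ActiveDirectory module is available, the domain password length policy. The function name, the 7-day reboot and 30-day hotfix thresholds, and the use of the latest hotfix date as a proxy for "regular updates" are assumptions made for this example; run it in an elevated session.

```powershell
# Added example, not part of the original FAQ or of Kaspersky's tooling.
# Checks one Windows host against the Duqu 2.0 hardening recommendations.
# MaxUptimeDays and the 30-day hotfix window are assumed thresholds, not values from the FAQ.
function Test-Duqu2Hardening {
    param(
        [int]$MaxUptimeDays = 7,        # assumption: more than 7 days without a reboot is stale
        [int]$MinPasswordLength = 20    # from the FAQ: passphrases longer than 20 characters
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $findings = @()

    # 1. Uptime: the FAQ says rebooting removes the active malware from memory, so a host
    #    that has not rebooted recently could still be carrying it.
    $uptimeDays = ((Get-Date) - $os.LastBootUpTime).TotalDays
    $findings += [pscustomobject]@{
        Check  = 'Rebooted within threshold'
        Status = if ($uptimeDays -le $MaxUptimeDays) { 'PASS' } else { 'FAIL' }
        Detail = ('Last boot {0:u}, {1:N1} days ago' -f $os.LastBootUpTime, $uptimeDays)
    }

    # 2. 64-bit Windows: x64 enforces driver signature checks, so kernel-mode persistence
    #    requires a signed driver.
    $findings += [pscustomobject]@{
        Check  = '64-bit OS'
        Status = if ($os.OSArchitecture -like '64*') { 'PASS' } else { 'FAIL' }
        Detail = $os.OSArchitecture
    }

    # 3. LM hashes: NoLMHash = 1 under the Lsa key stops the weak LAN Manager hash from
    #    being stored on the next password change.
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $noLm = if ($null -ne $lsa -and $lsa.PSObject.Properties['NoLMHash']) { [int]$lsa.NoLMHash } else { 0 }
    $findings += [pscustomobject]@{
        Check  = 'LM hashes disabled (NoLMHash=1)'
        Status = if ($noLm -eq 1) { 'PASS' } else { 'FAIL' }
        Detail = "NoLMHash=$noLm"
    }

    # 4. Patch recency: newest hotfix install date as a cheap proxy for "regular updates".
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $findings += [pscustomobject]@{
        Check  = 'Hotfix installed in last 30 days'
        Status = if ($lastFix -and ((Get-Date) - $lastFix.InstalledOn).TotalDays -le 30) { 'PASS' } else { 'WARN' }
        Detail = if ($lastFix) { '{0} on {1:d}' -f $lastFix.HotFixID, $lastFix.InstalledOn } else { 'no hotfix data' }
    }

    # 5. Domain password policy (only when the RSAT ActiveDirectory module is present).
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $findings += [pscustomobject]@{
            Check  = "Domain minimum password length >= $MinPasswordLength"
            Status = if ($policy.MinPasswordLength -ge $MinPasswordLength) { 'PASS' } else { 'FAIL' }
            Detail = 'MinPasswordLength={0}, MaxPasswordAge={1}' -f $policy.MinPasswordLength, $policy.MaxPasswordAge
        }
    }

    return $findings
}

Test-Duqu2Hardening | Format-Table -AutoSize
```

Run it on domain controllers as well as member servers; the NoLMHash check only affects hashes stored after the next password change, so pair it with the password rotation the FAQ recommends, and treat a long uptime on a host that is otherwise clean as a reason to schedule a reboot rather than as evidence of infection.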
For more advanced users, we are providing Yara rules and a tool that can help identify infections
in memory dumps and event logs.
In addition to these, we have published an article on Securelist, "How to mitigate 85% of all
targeted attacks using 4 simple strategies". We recommend reading it and implementing the
suggestions in your network.
Who should I contact if I or my company have become a victim of the Duqu 2.0 campaign?
If you have any questions or information to share about this threat actor, please contact
intelreports@kaspersky.com. Thank you.